Practical Quantum Key Distribution with Polarization Entangled Photons 



A. Poppe/'Q A. Fedrizzi, 1 T. Loriinser, 2 0. Maurhardt, 2 R. Ursin, 1 H. R. Bohm, 1 M. 

Peev, 2 M. Suda, 2 C. Kurtsiefer, 3 H. Weinfurter, 3 T. Jennewein, 4 and A. Zeilinger 1,4 

1 Institut fur Experimentalphysik, Universitat Wien, Boltzmanngas.se 5, 1090 Wien, Austria 
2 ARC Seibersdorf Research GmbH (ARCS), 2444 Seibersdorf, Austria 
3 Sektion Physik, Ludwig- Maximilians- Universitat, D-80797 Munchen, Germany 
J * Institute for Quantum Optics and Quantum Information, 
Austrian Academy of Sciences, Boltzmanngasse 3, 1090 Wien, Austria 
(Dated: 1st February 2008) 

We present an entangled-state quantum cryptography system that operated for the first time 
in a real-world application scenario. The full key generation protocol was performed in real-time 
between two distributed embedded hardware devices, which were connected by 1.45 km of optical 
fiber, installed for this experiment in the Vienna sewage system. The generated quantum key was 
immediately handed over and used by a secure communication application. 



INTRODUCTION 

Quantum cryptography Q is the first technology in the 
area of quantum information that is in the process of 
making the transition from purely scientific research to 
an industrial application. In the last three years, sev- 
eral companies have started developing quantum cryp- 
tography prototypes and the first products hit the market 

aia. 

Up to now, these commercial products are all based 
on various implementations of the BB84 [£j protocol. Be- 
cause of the unavailability of true single-photon sources, 
today's commercially available quantum cryptography 
systems rely on photons from attenuated laser pulses, 
as an approximation of the single photon state. How- 
ever, the produced state has a non-vanishing probability 
to contain two or more photons per pulse, leaving such 
systems prone to an eavesdropping through a beam split- 
ter attack. Although this attack is considered in recent 
security proofs given for the BB84 protocol 0,0], a true 
single photon source is conceptually preferable. 

An elegant alternative is quantum cryptography based 
on entangled photon pairs (gj, which does not depend 
on photons from attenuated laser pulses. In our im- 
plementation of entangled-state quantum cryptography 
we make use of pairs of single photons, which are in- 
dividually completely unpolarized. Information is only 
stored in correlations between the results of measure- 
ments on the individual photons of a pair. With today's 
entangled photon sources the probability of double pair 
emissions is much lower than the probability of double 
photon emission in weak coherent pules systems. There- 
fore entangled-state quantum cryptography systems are 
closer to the original idea of quantum cryptography. Fur- 
thermore, it can be shown [9] that entanglement-based 
systems have a better performance in certain situations. 
Additionally the randomness of the generated key as re- 
quired for a secure one-time-pad cipher 0] is guaran- 
teed by the quantum randomness of the measurement 




Figure 1: A quantum cryptography system is installed 
between the headquarters of a large bank (Alice) and 

the Vienna City Hall (Bob). The beeline distance 
between the two buildings is about 650m. The optical 
fibers were installed some weeks before the experiment 
in the Vienna sewage system and have a total length of 
1.45 km. 

process, whereas in attenuated laser quantum cryptogra- 
phy the random encoding has to be achieved by using an 
external random number generator. Thus, a fundamen- 
tal point is that in entangled-state quantum cryptogra- 
phy the key comes spontaneously into existence at both 
measurement stations while in the BB84 protocol it still 
has to be transmitted from Alice to Bob. Experimen- 
tally, entangled-state quantum cryptography has been 
first demonstrated in 1998 using polarization-entangled 
photon pairs 0, 0] . Alternative schemes are based for 
example on energy-time entanglement [13 |. Recent devel- 
opment of c omp act, highly efficient sources for entangled 
photons (l4l ITi* fig make entangled-state quantum key 
distribution in real-life applications feasible. 

In this article we present an entangled-state quantum 
cryptography prototype system in a typical application 
scenario. In the experiment reported here, it was possible 
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to distribute secure quantum keys on demand between 
the headquarters of an Austrian bank and the Vienna 
City Hall (see Figure^} using polarization-entangled pho- 
ton pairs. For key generation both measurement stations 
switched randomly between complementary bases ^| as 
also employed in the BB84 protocol. The produced key 
was directly handed over to an application that was used 
to send a quantum secured online wire transfer from the 
City Hall to the headquarters of Bank-Austria Credi- 
tanstaltjli. 

The quantum cryptography system used (see FigureEJ) 
consists of the source for polarization-entangled photons 
located at the bank, two combined polarization analy- 
sis and detection modules and two electronic units for 
key generation. These two quantum cryptography units 
which handled the five steps of secure key generation - 
real-time data acquisition, key sifting, error estimation, 
error correction and privacy amplification - are based on 
an embedded electronic design and are compatible with 
classical telecommunication equipment. The quantum 
channel between Alice and Bob consisted of an optical 
fiber that has been installed between the two experimen- 
tal sites in the Vienna sewage system (by WKA / Ca- 
bleRunner Inc.). The exposure of the fibers to realistic 
environmental conditions such as stress and strain during 
installation, as well as temperature changes were an im- 
portant feature of this experiment, as it shows that our 
system not only works under laboratory conditions, but 
also in a realistic quantum cryptography scenario. 

THE EXPERIMENTAL SETUP 

The entangled photon pairs used in our cryptography 
prototype were produced using a compact device based 
on type-II spontaneous parametric down-conversion 
llflj . Using a 16 mW violet laser diode as pump source, it 
was possible to generate and locally detect about 8.200 
pairs per second. The photon pairs had a center wave- 
length of 810 nm and a FWHM bandwidth of 5.6 nm. 
The visibility of the produced entangled state \ip~) under 
local detection was above 96%. For key generation one 
photon of the pair was directly sent to Alice's detection 
module (see FigureEJ, while the other photon was sent to 
the second receiver via 1.45 km of optical fiber. The fiber 
used for the quantum channel was single mode for 810 nm 
and had an average attenuation of about 3.2 dB per kilo- 
meter resulting in a total attenuation of 6 dB including 
the connectors. The compensation of polarization rota- 
tion in the fibers was done using fiber polarization con- 
trollers. Alignment of the controllers was done offline 
before the quantum cryptography protocol was started, 
using alignment software which calculated and displayed 
the quantum bit error rate of the transmission system 
in real-time based on the single photon detection events. 
With two linear polarizers in both arms of the entangle- 



ment source the polarization controllers were adjusted to 
compensate for the arbitrary polarization rotation. It 
turned out that the polarization was stable for several 
hours, therefore online measurement and compensation 
for polarization drift was not necessary. 

A prototype of a currently developed dedicated QKD- 
hardware was used for the first time in this experiment 
[2oT |. It consists of three main computational components 
best suited to manage all signal acquisition and QKD 
protocol tasks. All three units are situated on a single 
printed circuit board. The main task of the board is key 
acquisition, i.e. the processing of the signals detected by 
the four detectors on each site of the QKD system. 

The board handles also the synchronization channel 
and generates a strong laser pulse whenever a photon 
counting event is detected at Alice's site. This is ensured 
by a logical OR connection of the detector channels as 
shown on Figure 2. The synchronization laser pulse is at 
the wavelength of 1550nm and it is sent over a separate 
single mode fiber. The developed detection logic is im- 
plemented in a FPGA and runs at a sampling frequency 
of 800MHz, while employing a time window of 10 ns for 
matching the detection events and synchronization sig- 
nals. The synchronization mechanism allows an identical 
realisation of the higher level electronics at both sides and 
thus enables the development of universal QKD devices. 

The classical communication between the two devices 
is carried over a TCP/IP connection, provided by an Eth- 
ernet bridge. 

When fully developed the QKD hardware will be 
equipped with a full scale QKD protocol modular library 
allowing seamless interchange of relevant algorithms, as 
well as an encryption library, comprising a number of 
state of the art encryption algorithms in addition to the 
standard one-time pad. In addition to the main "em- 
bedded" modus, the libraries can be used in a developer 
modus - in the framework of an alternative computing 
environment (PC, etc.). 

In the current experiment the high speed electronics 
had only been used for measuring detector events, hence, 
it worked in a developer mode passing the data to an 
outside PC running the protocol software stack and a 
graphical user interface (GUI). The library modules uti- 
lized in the current experiment include data acquisition, 
error estimation, error correction, implementing the algo- 
rithm CASCADE I2J, privacy amplification and a proto- 
col authentication algorithm, ensuring the integrity of the 
quantum channel |22j, using a Toplitz matrix approach. 
Furthermore the encryption-library modules applied in- 
clude one-time pad and AES encryption schemes, the lat- 
ter allowing key exchange on a scale determined by the 
user. 

The average total quantum bit error rate (QBER) was 
found to be less than 8%, for more than the entire run 
time of the experiment. An analysis of the different con- 
tributions to the QBER showed that about 2.5% comes 
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Figure 2: Sketch of the experimental setup of the experiment. An entangled state source pumped by a violet laser 
diode (LD) at 405nm produces polarization-entangled photon pairs. One of the photons is locally analyzed in Alice's 
detection module, while the other is sent over a 1.45 km long single- mode optical fiber (SMF) to the remote site 
(Bob). Polarization measurement is done randomly in one of two bases (|0°) and |45°)), by using a beam splitter 
(BS) which randomly sends incident photons to one of two polarizing beam splitters (PBS). One of the PBS is 
defined to measure in the |0°) basis, the other is the |45°) basis turned by a half wave plate (HWP). The final 
detection of the photons is done in passively quenched silicon avalanche photodiodes (APD). When a photon is 
detected in one of Alice's four avalanche photodiodes an optical trigger pulse is created (Sync. Laser) and sent over 
a second fiber to establish a common time basis. At both sites, the trigger pulses and the detection events from the 
APDs are fed into an dedicated quantum key generation (QKG) device for further processing. This QKG electronic 
device is an embedded system, which is capable of autonomously doing all necessary calculations for key generation. 



from imperfections of the detection modules, 1.2% from 
the imperfect production of the entangled state. As these 
two contributions are practically not accessible to eaves- 
dropper ji^l we subtracted these contributions for consid- 
eration in privacy amplification. The rest of the QBER 
can be attributed to the error produced by the quan- 
tum channel. For the data presented in this article, the 
number of bits discarded in privacy amplification is auto- 
matically adjusted to the number of bits disclosed during 
error correction and the QBER of the quantum channel. 
The average raw key bit rate in our system was found to 
be about 80 bits/s after error correction and privacy am- 
plification. This value is mainly limited by the detection 
efficiency of the avalanche photo diodes used as well as 
the attenuation on the quantum channel. 

SECURE KEY GENERATION 

In this section we present a subset of the data obtained 
in our experiment. It covers 18 minutes of data acqui- 
sition and key generation. Within that time period Al- 
ice's detectors registered overall more than 12.8 million 
counts. The same number of synchronization pulses was 
sent to Bob. After determination of coincidence events 
and key sifting a total of 244765 bits remained for fur- 
ther processing by the classical algorithms. For this pur- 
pose, the raw data was continuously grouped into blocks 
of approximately 2500 bits, which where submitted in- 
dividually to the following classical protocols. Publicly 



announcing 25% of the bits in each block was done for es- 
timating the quantum bit error (QBER) of the sifted key. 
The average value of the estimated error rate and the real 
error rate, calculated by directly comparing Alice's and 
Bob's sifted key after the experiment, was found to be 
6.25% and 6.44% respectively. Even though the average 
value of the estimated error rate matches the real error 
rate, the small sampling size gives strong deviations in 
individual blocks. 

The remaining 183574 bits after error estimation were 
then submitted to the error correction process. Due to 
the disclosing of bits during error correction, the useable 
key size has to be further reduced to 110226. In the last 
stage of the protocol, privacy amplification reduced the 
error-corrected key depending on the estimated QBER 
for each individual block, leaving a total of 79426 bits 
for the final secure quantum key. This corresponds to an 
average key distribution rate of 76 bit/second. 

Results for individual blocks are presented on Figure 
03 There the blocks have been ordered by the estimated 
quantum bit error rate rather than the order of their ac- 
quisition. The acquisition time of the individual blocks, 
plotted in the upper part of Figure is almost constant 
and shows no correlation with the error rate. Also there 
the estimated error rate is shown in comparison with the 
real error determined after the experiment. One can see 
that the estimated error nicely fits the real error rate. 
Only for a small percentage of blocks, the error is over- 
or underestimated. By increasing the size of the individ- 
ual blocks and therefore improving the sampling of the 
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Figure 3: Results obtained during 5 minutes of the 
running experiment. The cryptography device worked 
with blocks of raw data which were estimated to consist 
of 2500 bits after sifting. Each key block was processed 
by the full quantum cryptography software consisting of 
key sifting, error estimation, error correction and 
privacy amplification (see text). The blocks in this 
graph have been sorted by the QBER rather than the 
order of their acquisition, (a) In the topmost graph one 
can see estimated QBER for the individual blocks as 
well as the real QBER determined by directly 
comparing the whole sifted key over subsequent 
measurement data blocks being processed by the device. 
This calculation was only done for evaluation of the 
system and is obviously not possible online for a real 
key exchange where it is replaced by error estimation. 
Additionally one can see the time it took to acquire the 
raw data of the given block. (b)The graph in the middle 
shows the length of the final key, the number of bits 

disclosed by CASCADE and the number of bits 
discarded in privacy amplification, (c) In the lower 
graph one can see the final secure bit rate produced by 
our system. 



error estimation, this effect can be mitigated. The over- 
and underestimation of the QBER can also be seen in 
the second graph of Figure 03 where the amount of bits 
discarded by privacy amplification is plotted for the indi- 
vidual blocks. In the last graph of FigureElthe bit rate of 
the individual blocks is shown. One can clearly see the 
expected behavior: The number of final bits is mainly 
dominated by the estimated error rate. 



CONCLUSION 

The experiment reported here demonstrates the oper- 
ation of an entangled-state quantum cryptography pro- 
totype system. All calculations were done in real-time on 
a distributed embedded system. Furthermore we demon- 
strate the successful run of our quantum cryptography 
system in a real world application scenario outside ideal 
laboratory conditions. The results clearly show that en- 
tangled photon systems provide a good alternative for 
weak coherent pulse systems, with the additional benefit 
of rendering the beamsplitter attack much less efficient 
and thus being closer to the ideal BB84 quantum cryptog- 
raphy idea than systems based on weak coherent pulses. 
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